borg key change-location

borg [common options] key change-location [options] [REPOSITORY] KEY_LOCATION
positional arguments
  REPOSITORY  
  KEY_LOCATION select key location
optional arguments
  --keep keep the key also at the current location (default: remove it)

Common options

Description

Change the location of a borg key. The key can be stored at different locations:

keyfile: locally, usually in the home directory repokey: inside the repo (in the repo config)

Note: this command does NOT change the crypto algorithms, just the key location,
thus you must ONLY give the key location (keyfile or repokey).

borg key change-algorithm

borg [common options] key change-algorithm [options] [REPOSITORY] ALGORITHM
positional arguments
  REPOSITORY  
  ALGORITHM select key algorithm

Common options

Description

Change the algorithm we use to encrypt and authenticate the borg key.

Important: In a repokey mode (e.g. repokey-blake2) all users share the same key. In this mode upgrading to argon2 will make it impossible to access the repo for users who use an old version of borg. We recommend upgrading to the latest stable version.

Important: In a keyfile mode (e.g. keyfile-blake2) each user has their own key (in ~/.config/borg/keys). In this mode this command will only change the key used by the current user. If you want to upgrade to argon2 to strengthen security, you will have to upgrade each user’s key individually.

Your repository is encrypted and authenticated with a key that is randomly generated by borg init. The key is encrypted and authenticated with your passphrase.

We currently support two choices:

  1. argon2 - recommended. This algorithm is used by default when initialising a new repository. The key encryption key is derived from your passphrase via argon2-id. Argon2 is considered more modern and secure than pbkdf2.
  2. pbkdf2 - the legacy algorithm. Use this if you want to access your repo via old versions of borg. The key encryption key is derived from your passphrase via PBKDF2-HMAC-SHA256.

Examples:

# Upgrade an existing key to argon2
borg key change-algorithm /path/to/repo argon2
# Downgrade to pbkdf2 - use this if upgrading borg is not an option
borg key change-algorithm /path/to/repo pbkdf2

borg key change-passphrase

borg [common options] key change-passphrase [options] [REPOSITORY]
positional arguments
  REPOSITORY  

Common options

Description

The key files used for repository encryption are optionally passphrase protected. This command can be used to change this passphrase.

Please note that this command only changes the passphrase, but not any secret protected by it (like e.g. encryption/MAC keys or chunker seed). Thus, changing the passphrase after passphrase and borg key got compromised does not protect future (nor past) backups to the same repository.

Examples

# Create a key file protected repository
$ borg init --encryption=keyfile -v /path/to/repo
Initializing repository at "/path/to/repo"
Enter new passphrase:
Enter same passphrase again:
Remember your passphrase. Your data will be inaccessible without it.
Key in "/root/.config/borg/keys/mnt_backup" created.
Keep this key safe. Your data will be inaccessible without it.
Synchronizing chunks cache...
Archives: 0, w/ cached Idx: 0, w/ outdated Idx: 0, w/o cached Idx: 0.
Done.

# Change key file passphrase
$ borg key change-passphrase -v /path/to/repo
Enter passphrase for key /root/.config/borg/keys/mnt_backup:
Enter new passphrase:
Enter same passphrase again:
Remember your passphrase. Your data will be inaccessible without it.
Key updated

# Import a previously-exported key into the specified
# key file (creating or overwriting the output key)
# (keyfile repositories only)
$ BORG_KEY_FILE=/path/to/output-key borg key import /path/to/repo /path/to/exported

Fully automated using environment variables:

$ BORG_NEW_PASSPHRASE=old borg init -e=repokey repo
# now "old" is the current passphrase.
$ BORG_PASSPHRASE=old BORG_NEW_PASSPHRASE=new borg key change-passphrase repo
# now "new" is the current passphrase.

borg key export

borg [common options] key export [options] [REPOSITORY] [PATH]
positional arguments
  REPOSITORY  
  PATH where to store the backup
optional arguments
  --paper Create an export suitable for printing and later type-in
  --qr-html Create an html file suitable for printing and later type-in or qr scan

Common options

Description

If repository encryption is used, the repository is inaccessible without the key. This command allows one to backup this essential key. Note that the backup produced does not include the passphrase itself (i.e. the exported key stays encrypted). In order to regain access to a repository, one needs both the exported key and the original passphrase.

There are three backup formats. The normal backup format is suitable for digital storage as a file. The --paper backup format is optimized for printing and typing in while importing, with per line checks to reduce problems with manual input. The --qr-html creates a printable HTML template with a QR code and a copy of the --paper-formatted key.

For repositories using keyfile encryption the key is saved locally on the system that is capable of doing backups. To guard against loss of this key, the key needs to be backed up independently of the main data backup.

For repositories using the repokey encryption the key is saved in the repository in the config file. A backup is thus not strictly needed, but guards against the repository becoming inaccessible if the file is damaged for some reason.

Examples:

borg key export /path/to/repo > encrypted-key-backup
borg key export --paper /path/to/repo > encrypted-key-backup.txt
borg key export --qr-html /path/to/repo > encrypted-key-backup.html
# Or pass the output file as an argument instead of redirecting stdout:
borg key export /path/to/repo encrypted-key-backup
borg key export --paper /path/to/repo encrypted-key-backup.txt
borg key export --qr-html /path/to/repo encrypted-key-backup.html

borg key import

borg [common options] key import [options] [REPOSITORY] [PATH]
positional arguments
  REPOSITORY  
  PATH path to the backup (‘-’ to read from stdin)
optional arguments
  --paper interactively import from a backup done with --paper

Common options

Description

This command restores a key previously backed up with the export command.

If the --paper option is given, the import will be an interactive process in which each line is checked for plausibility before proceeding to the next line. For this format PATH must not be given.

For repositories using keyfile encryption, the key file which borg key import writes to depends on several factors. If the BORG_KEY_FILE environment variable is set and non-empty, borg key import creates or overwrites that file named by $BORG_KEY_FILE. Otherwise, borg key import searches in the $BORG_KEYS_DIR directory for a key file associated with the repository. If a key file is found in $BORG_KEYS_DIR, borg key import overwrites it; otherwise, borg key import creates a new key file in $BORG_KEYS_DIR.